[PATCH v5 0/3] md/raid10: fix r10bio width mismatches across reshape
From: Chen Cheng
Date: Mon Jun 22 2026 - 08:15:11 EST
From: Chen Cheng <chencheng@xxxxxxxxx>
Hi,
This series fixes slab out-of-bounds accesses in raid10 when reshape changes
the number of raid disks while regular I/O is still reusing r10bio objects
allocated under the previous geometry.
The bug is reproducible with a simple 4-disk to 5-disk reshape under write
load, for example:
mdadm -C /dev/md777 -l10 -n4 /dev/sda /dev/sdb /dev/sdc /dev/sdd
mkfs.ext4 /dev/md777
mount /dev/md777 /mnt/test
fsstress -d /mnt/test -n 24000 -p 8 -l 24 &
mdadm /dev/md777 --add /dev/sde
mdadm --grow /dev/md777 --raid-devices=5 \
--backup-file=/tmp/md-reshape-backup
kcsan report:
BUG: KASAN: slab-out-of-bounds in free_r10bio+0x1c4/0x260 [raid10]
Read of size 8 at addr ffff00008c2dfac8 by task ksoftirqd/0/15
free_r10bio
raid_end_bio_io
one_write_done
raid10_end_write_request
This series addresses the problem in three steps:
1. ensure the sync_action=reshape caller suspends and locks before start_reshape
2. convert the r10bio pool to fixed-size objects when moving from the old geometry to the new
3. reorder the r10bio free flow to avoid a race when freeing an r10bio
Changes in v5 (suggested by Yu Kuai):
- simplify patch 2
- patch 3: use a new approach (reorder the r10bio free flow) instead of
the old one (bound reused r10bio devs[] walks by used_nr_devs)
Changes in v4:
- In the sync_action=reshape path, the caller now invokes
mddev_suspend_and_lock() before calling start_reshape()
- The md-cluster and dm-raid paths are unchanged, that is, they reach
start_reshape() with the mddev locked but not suspended.
Changes in v3:
- Replace freeze_array()/unfreeze_array() in raid10_start_reshape() with
mddev_suspend_and_lock_nointr()/mddev_unlock_and_resume(). freeze_array()
returns when nr_pending == nr_queued, which still allows retry-list items
to hold pool objects; mddev_suspend() provides the correct upper-layer
quiesce interface. (Suggested by Yu Kuai)
Changes in v2:
- add this cover letter
- convert r10bio_pool to a fixed-size kmalloc mempool
- rebuild r10bio_pool inside the freeze window before switching live reshape
geometry
- switch raid10_quiesce() to freeze_array()/unfreeze_array()
Testing:
- reproduced the original KASAN slab-out-of-bounds on 4-disk -> 5-disk
raid10 reshape with fsstress
- verified that this series fixes that reproducer
- exercised the 5-disk -> 4-disk reshape direction as well
Thanks,
Chen Cheng
Chen Cheng (3):
md: suspend array before raid10 reshape via sync_action
md/raid10: make r10bio_pool use fixed-size objects
md/raid10: bound reused r10bio devs[] walks by used_nr_devs
drivers/md/md.c | 22 ++++++++++++++----
drivers/md/raid10.c | 56 +++++++++++++++++++++++++++++++++------------
drivers/md/raid10.h | 4 +++-
3 files changed, 61 insertions(+), 21 deletions(-)
--
2.54.0
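The cover letter describes the bug as a width mismatch: an r10bio whose devs[] was sized for the old geometry is still in flight when reshape raises raid_disks, and the free path walks it with the new width. The following userspace model is an added illustration, not code from this series or from drivers/md/raid10.c; every name in it (r10bio_model, alloc_width, MAX_RAID_DISKS, the three scenario functions) is an assumption chosen for the example. It does not read past any allocation; the walk reports how many slots would lie beyond the object instead, and the two mitigations mirror the shapes discussed in the series (a pool of fixed-size objects, and bounding the walk by the width recorded in the object).

```c
#include <stdlib.h>
#include <stddef.h>

/*
 * Userspace model of the r10bio width mismatch. All names here are
 * assumptions for illustration and are not the kernel's raid10 types.
 */
#define MAX_RAID_DISKS 64   /* assumed upper bound used by the fixed-size pool */

struct dev_slot {
	int devnum;
	int in_use;
};

struct r10bio_model {
	int alloc_width;          /* number of devs[] slots actually allocated */
	struct dev_slot devs[];   /* one slot per raid disk at allocation time */
};

/* Allocate an object whose devs[] has exactly `width` slots. */
static struct r10bio_model *r10bio_alloc(int width)
{
	struct r10bio_model *r10 =
		calloc(1, sizeof(*r10) + (size_t)width * sizeof(struct dev_slot));

	if (!r10)
		return NULL;
	r10->alloc_width = width;
	return r10;
}

/*
 * Free-path walk. `walk_width` is the width the caller believes the object
 * has (in the driver this comes from the live geometry). The safe prefix is
 * cleared; the return value is the number of slots the walk would have
 * touched beyond the allocation, i.e. 0 means fully in bounds.
 */
static int r10bio_free_walk(struct r10bio_model *r10, int walk_width)
{
	int i;

	for (i = 0; i < walk_width && i < r10->alloc_width; i++)
		r10->devs[i].in_use = 0;
	return walk_width > r10->alloc_width ? walk_width - r10->alloc_width : 0;
}

/* Baseline: object sized for old geometry, freed with the new width. */
static int mismatch_with_geometry_sized_pool(int old_disks, int new_disks)
{
	struct r10bio_model *r10 = r10bio_alloc(old_disks);
	int oob;

	if (!r10)
		return -1;
	oob = r10bio_free_walk(r10, new_disks);   /* reshape happened meanwhile */
	free(r10);
	return oob;
}

/* Mitigation A: every pool object carries the maximum width. */
static int mismatch_with_fixed_size_pool(int old_disks, int new_disks)
{
	struct r10bio_model *r10 = r10bio_alloc(MAX_RAID_DISKS);
	int oob;

	(void)old_disks;
	if (!r10 || new_disks > MAX_RAID_DISKS)
		return -1;
	oob = r10bio_free_walk(r10, new_disks);
	free(r10);
	return oob;
}

/* Mitigation B: clamp the walk to the width recorded in the object. */
static int mismatch_with_bounded_walk(int old_disks, int new_disks)
{
	struct r10bio_model *r10 = r10bio_alloc(old_disks);
	int walk, oob;

	if (!r10)
		return -1;
	walk = new_disks < r10->alloc_width ? new_disks : r10->alloc_width;
	oob = r10bio_free_walk(r10, walk);
	free(r10);
	return oob;
}
```

With the 4-disk to 5-disk reshape from the reproducer, the geometry-sized pool reports one slot past the end of the object, which is the shape of the KASAN report above; the shrink direction (5 to 4) is in bounds for the walk but leaves a slot untouched, which is why a bounded walk alone is not the whole story once the free path is also reordered. Both mitigations report zero slots out of bounds for the grow case.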